model checking i i
DESCRIPTION
Model Checking I I. How CTL model checking works. CTL. A E X F G U Model checking problem Determine M, s0 f Or find all s s.t. M, s f. Need only the boolean connectives ( , ) and - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/1.jpg)
Model Checking II
How CTL model checking works
![Page 2: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/2.jpg)
CTL
A E X F G U
Model checking problemDetermine M, s0 f
Or find all s s.t. M, s f
![Page 3: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/3.jpg)
Need only the boolean connectives ( , ) and E X F G Udefine otherse.g.AG p EF pA(p U q) E( q U p & q) & EG( q)
(Could skip EF and define in terms of EU, but hopefully seeing how EF is done aids understanding)
![Page 4: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/4.jpg)
Explicit state model checking
Option 1 CES (original paper)
Represent state transition graph explicitlyWalk around marking states
Graph algorithms involving strongly connected components etc.
Not covered in this course (cf. SPIN)Used particularly in software model checking
![Page 5: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/5.jpg)
Symbolic MC
Option 2 McMillan et al
because ofSTATE EXPLOSION problem
State graph exponential in program/circuit sizeGraph algorithms linear in state graph size
INSTEADUse symbolic representation of both sets of
statesand of state transtion graph
![Page 6: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/6.jpg)
Symbolic MC
Sets of states formulas
relations between states (BDDs)
Fixed point characerisations of CTL ops
NO explicit state graph
![Page 7: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/7.jpg)
A state
Vector of boolean variables
(v1,v2,v3, …., vn) {0,1}n
![Page 8: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/8.jpg)
Boolean formulas
(x y) z ( is exclusive or)
(1 0) 0 = 1assignment [x=1,y=0,z=0] gives answer 1is a model or satisfying assignment
Write as 100
Exercise: Find another model
![Page 9: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/9.jpg)
Boolean formulas
(x y) z(1 1) 0 = 0
assignment [x=1,y=1,z=0] is not a model
![Page 10: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/10.jpg)
Formula is a tautology if ALL assignments are models and is contradictory if NONE is.
![Page 11: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/11.jpg)
Boolean formulas
For us, interesting formulas are somewhere in between: some assignments are models, some not
IDEA: A formula can represent a set of states (its models)
![Page 12: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/12.jpg)
{} false {111} x y z {101} x y z {111,101} x z
. . {000,001, … , 111} true
![Page 13: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/13.jpg)
Example
(x y) z represents {100,010,001,111} for states of the form xyz
Exercise: Find formulas (with var. names x,y,z) for the sets
{}{100}{110,100,010,000}
![Page 14: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/14.jpg)
What is needed now?
A good data structure for boolean formulas
Binary Decision Diagrams (BDDs) Lee (Bell Systems Tech. Journal 59)
Akers (IEEE Trans. Comp 78)Bryant (IEEE Trans. Comp. 86, most cited CS
paper!)see also Bryant’s document about a Hitachi
patent from 93McMillan saw application to symbolic MC
![Page 15: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/15.jpg)
Binary Decision Diagrams
Canonical form (constant time comparison)
Polynomial algorithms for ’and’, ’or’, ’not’ etc.
Exponential but practically efficient algorithm for boolean quantification (even of sets of variables)
Read Hu’s excellent tutorial paper (See Course Literature)
(Presentation based on lecture notes by Ken McMillan)
![Page 16: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/16.jpg)
Ordered Decision Tree
a
c
d d d d d d d d
c c c
b b
0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1
ab + cd(ab) (cd)
0 1
0 1 0 1
0 1 0 1 0 1 0 1
![Page 17: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/17.jpg)
To get OBDD
Combine isomorphic subtrees
Eliminate redundant nodes (those with identical children)
Tree becomes a graph
![Page 18: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/18.jpg)
(O)BDDab + cd(ab) (cd)
a
b
c
d
0 1
0
1
0
1
0
0 1
![Page 19: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/19.jpg)
Make BDD for
(x y) z
![Page 20: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/20.jpg)
Combinational equivalence checking
For two circuits with single boolean outputs, makeBDDs for each circuit and see if they are the same
Of course the BDDs are built up by application of BDDconstruction functions and, or, not etc. NOT bymaking decision tree and then reducing
![Page 21: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/21.jpg)
BDDs
+ Many formulas (and circuits) have small representations
-Some do not! Multipliers- BDD representation of a function can vary
exponentially in size depending on variable ordering; users may need to play with variable orderings (less automatic)
+ Good algorithms and packages (e.g. CUDD)+ EXTREMELY useful in practice- Size limitations a big problem
![Page 22: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/22.jpg)
Represent a set of states
Just make the BDD for a corresponding formula!
![Page 23: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/23.jpg)
Represent a transition relation R
Remember that R is just a set of pairs of states
Use two sets of variables, v and v’ (with the primed variables representing next states)
Make a formula involving both v and v’ and from that a BDD bdd(R,(v,v’))
![Page 24: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/24.jpg)
What set of states can we reach from set P in one
step?
P Image(P,R)
{t s s P s R t}
R
R
RR
![Page 25: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/25.jpg)
Forward Image
P Image(P,R)
{t s s P s R t}
R
R
RR
bdd(Image(P,R),v’) = v bdd(P,v) bdd(R,(v,v’))
![Page 26: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/26.jpg)
Backward image
{s t t Q s R t}
bdd(Image-1(Q,R),v) = v’ bdd(Q,v’) bdd(R,(v,v’))
R
R
RR
Q
![Page 27: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/27.jpg)
So far
BDDs for 1) sets of states2) transition relation3) calculating forward or backward image
of a set
Need one last idea: iteration to a fixed point based on recursive description of CTL ops
![Page 28: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/28.jpg)
Symbolic MC of CTL
Compute set of states satisfying a formula recursively (and use BDDs as rep.)
consider , , EX, EF, EG, EU
define others
![Page 29: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/29.jpg)
CTL formula f H(f) set of states satisfying f
a (atomic) L(a) (cf.Lars)p S – H(p)p q H(p) H(q)
EX p familiar ?
![Page 30: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/30.jpg)
CTL formula f H(f) set of
states
satisfying f
EX p Image-
1(H(p),R)
![Page 31: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/31.jpg)
CTL formula f bdd for set of
states satisfying f
EX p v’ bdd(p,v’) bdd(R,(v,v’))
![Page 32: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/32.jpg)
Remaining operators
Recursive characterisation
EF p p EX (EF p)
![Page 33: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/33.jpg)
CTL
EF p p EX (EF p)
Start with the empty set of states, , as a first guess, and improve it by applying
p EX (.) to it
![Page 34: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/34.jpg)
Fixed point iteration (formulas)
S0 = falseS1 = p EX (false) = p
S2 = p EX (p)
S3 = p EX (p EX (p))
and so on
Will eventually terminate. Why?
![Page 35: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/35.jpg)
Now think sets
S0 = Ø = empty set of statesS1 = H(p) Image-1(Ø,R) = H(p)
S2 = H(p) Image-1(H(p),R)
Si+1 = H(p) Image-1(Si,R)
Will eventually terminate. Why?
![Page 36: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/36.jpg)
Fixed point iteration
P
![Page 37: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/37.jpg)
Fixed point iteration
p EX p
P
![Page 38: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/38.jpg)
Fixed point iteration
p EX (p EX p)
P
![Page 39: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/39.jpg)
Fixed point iteration
Evetually stops!
P. . . .
![Page 40: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/40.jpg)
LEAST fixed point
Started with a small set (empty, indeed) and made it larger.
All ok because
F(B) = H(p) Image-1(B,R) is monotonic
(i.e. if B B’ then F(B) F(B’))Write least y s.t. y = F(y) as y.F(y)
![Page 41: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/41.jpg)
EG
EG p p EX (EG p)
This time need to work downwards
![Page 42: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/42.jpg)
Fixed point iteration (formulas)
S0 = true
S1 = p EX (true)
S2 = p EX (p EX (true) )
and so on
Will eventually terminate. Why?
![Page 43: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/43.jpg)
Now think sets
S0 = S = the entire set of statesS1 = H(p) Image-1(S,R) S2 = H(p) Image-1(H(p) Image-
1(S,R) ,R)
Si+1 = H(p) Image-1(Si,R)
Will eventually terminate.
![Page 44: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/44.jpg)
Greatest fixed point
EG p p EX (EG p)
H(EG p)
= y. H(p) Image-1(y,R)
![Page 45: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/45.jpg)
EG
EG p p EX (EG p)
H(EG p)
= y. H(p) Image-1(y,R)
NB: We can do all of these operations using BDDs to represent the sets
![Page 46: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/46.jpg)
Fixed point interationin the other direction
P
![Page 47: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/47.jpg)
Fixed point interationin the other direction
P
p EX p
![Page 48: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/48.jpg)
Fixed point interationin the other direction
P
p EX (p EX p)
![Page 49: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/49.jpg)
Fixed point interationin the other direction
p
p EX (p EX p)
….
![Page 50: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/50.jpg)
EU
E (p U q) q (p EX (E (p U q) )
H(E (p U q) )
= y. H(q) (H(p) Image-1(y,R))
This is a generalisation of the EF case.Remember that E (True U q) = EF q
Exercise: define H (A(p U q)). See earlier slide
![Page 51: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/51.jpg)
All done with BDDS (and recursion and fixed point iteration)
![Page 52: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/52.jpg)
Concrete example
000 100 110 111
001 101 010 011
![Page 53: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/53.jpg)
Concrete example
000 100 110 111
001 101 010 011
0
1
2
3
4 6 7
5
EF p p = dreq q0 dack
(answer will be available later)
Exercise: calculate the set of states satisfying
![Page 54: Model Checking I I](https://reader036.vdocuments.us/reader036/viewer/2022062500/568150ea550346895dbf03d3/html5/thumbnails/54.jpg)
Concrete example
000 100 110 111
001 101 010 011
0
1
2
3
4 6 7
5
EG p p = (dreq q0 ) dackAlso calculate for